MinIO

New MinIO instance

The follow describes the process for adding a new MinIO instance to the DAaaS environment.

1. Deploy the instance in the minio-operator repo

2. Setup the Vault MinIO secret engine in the terraform repository

   a. secret_minio_*.tf (defines the secret engine which will allow issuance of MinIO keys)
   b. policy_boathouse.tf (grant access to boathouse)
   c. policy_goofys_injector.tf (grant access to the goofys injector)
   d. policy_minio.tf
   e. policy_profile_configurator.tf (grant access to the profile configurator to setup roles)
   f. .github/workflow (add new secrets)
   

   The variables come from two Kubernetes resources:

   # _ENDPOINT ($HOST without https://)
   kubectl -n $INSTANCE_NAMESPACE get ing
   
   # _ACCESS_KEY and _SECRET_KEY
   kubectl -n $INSTANCE_NAMESPACE get secret $INSTANCE-minio -o yaml
   # _ACCESS_KEY = data.accesskey (base64 decode)
   # _SECRET_KEY = data.secretkey (base64 decode)
   

3. Update the kubeflow-controller

   This is a configuration-only update. There is a GitHub secret on the repository called MINIO_INSTANCES, which refers to the name of the secret engine in Vault (example: minio_minimal_tenant1).

   This is a comma-separated list: minio_minimal_tenant1,minio_pachyderm_tenant1,minio_premium_tenant1

   Once updated, trigger a re-deployment of the kubeflow-controller by re-running the last action run.

4. Update MinIO credential injector

   Add additional patches: https://github.com/StatCan/minio-credential-injector/blob/master/mutate.go#L52

5. Update Goofys Injector

   Add additional patches: https://github.com/StatCan/goofys-injector/blob/master/mutate.go#L161